Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-1615

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability is due to improper verification of digital signatures for software images. An attacker could exploit this vulnerability by loading an unsigned software image on an affected device. A successful exploit could allow the attacker to boot a malicious software image. Note: The fix for this vulnerability requires a BIOS upgrade as part of the software upgrade. For additional information, see the Details section of this advisory. Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I7(5). Nexus 9000 Series Fabric Switches in ACI Mode are affected running software versions prior to 13.2(1l). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I7(5). Nexus 9500 R-Series Line Cards and Fabric Modules are affected running software versions prior to 7.0(3)F3(5).

Published

2019-03-11T21:29:00.920

Last Modified

2024-11-21T04:36:56.073

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.7 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-347
Type: Primary
CWE-347

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	nx-os	7.0\(3\)i7\(3\)	Yes
Operating System	cisco	nx-os	9.2\(1\)	Yes
Operating System	cisco	nx-os	12.3\(0.97\)	Yes
Hardware	cisco	9432pq	-	No
Hardware	cisco	9536pq	-	No
Hardware	cisco	9636pq	-	No
Hardware	cisco	9736pq	-	No
Hardware	cisco	n9k-x9432c-s	-	No
Hardware	cisco	n9k-x9464px	-	No
Hardware	cisco	n9k-x9464tx2	-	No
Hardware	cisco	n9k-x9564px	-	No
Hardware	cisco	n9k-x9564tx	-	No
Hardware	cisco	n9k-x9636c-r	-	No
Hardware	cisco	n9k-x9636c-rx	-	No
Hardware	cisco	n9k-x97160yc-ex	-	No
Hardware	cisco	n9k-x9732c-ex	-	No
Hardware	cisco	n9k-x9732c-fx	-	No
Hardware	cisco	n9k-x9736c-ex	-	No
Hardware	cisco	n9k-x9736c-fx	-	No
Hardware	cisco	n9k-x9788tc-fx	-	No
Hardware	cisco	nexus_92160yc-x	-	No
Hardware	cisco	nexus_92300yc	-	No
Hardware	cisco	nexus_92304qc	-	No
Hardware	cisco	nexus_9236c	-	No
Hardware	cisco	nexus_9272q	-	No
Hardware	cisco	nexus_93108tc-ex	-	No
Hardware	cisco	nexus_93108tc-fx	-	No
Hardware	cisco	nexus_93120tx	-	No
Hardware	cisco	nexus_9316d-gx	-	No
Hardware	cisco	nexus_93180lc-ex	-	No
Hardware	cisco	nexus_93180yc-ex	-	No
Hardware	cisco	nexus_93180yc-fx	-	No
Hardware	cisco	nexus_93240yc-fx2	-	No
Hardware	cisco	nexus_9332c	-	No
Hardware	cisco	nexus_9336c-fx2	-	No
Hardware	cisco	nexus_9348gc-fxp	-	No
Hardware	cisco	nexus_93600cd-gx	-	No
Hardware	cisco	nexus_9364c	-	No
Hardware	cisco	nexus_9504	-	No
Hardware	cisco	nexus_9508	-	No
Hardware	cisco	nexus_9516	-	No
Hardware	cisco	x9636q-r	-	No
Operating System	cisco	nx-os	7.0\(3\)i7\(5\)	Yes
Hardware	cisco	n3k-c31128pq-10ge	-	No
Hardware	cisco	n3k-c3132c-z	-	No
Hardware	cisco	n3k-c3164q-40ge	-	No
Hardware	cisco	n3k-c3264q	-	No

References

http://www.securityfocus.com/bid/107397 Third Party Advisory, VDB Entry ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/107397 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)